On most sites the "remember me" checkbox in the login form is disabled by default. Most users would like to stay logged in after logging in. It annoys users to enter their username and password each time just because they forgot to check the "remember me" checkbox.

Why not just enable "remember me" checkbox by default?

If a user does not want to be remembered, he can just uncheck the checkbox.

Update: the "remember me" checkbox in Gmail login forms is disabled by default, but if a user logs in and enables it, then this choice is saved to cookies and "rem me" will be enabled by default during the next login.

You're being quite subjective with your question; it sounds like you've made up your mind and are just looking for someone to validate it rather than genuinely wanting an actual answer. Points such as "It annoys users each time to enter username and password just because user forget to check "remember me" checkbox" may not be factually correct; you're just assuming this to be the case.
– JonW♦ May 3 '12 at 23:04


@GotDibbs as Myrddin Emrys said: "If you visit Google and log in for the first time, the 'Stay signed in' checkbox is disabled. If you choose to enable it, then it remembers your preference and stays checked the next time you visit." I checked it and it is true: Google offers "rem me" disabled by default and saves the user's choice to a cookie.
– webvitaly May 3 '12 at 23:08


@webvitaly you keep stating in your comments on the answers to this post that users prefer to stay logged in, but where is your evidence that this is the case? Making assumptions, especially when they concern user security, is a very dangerous position to take.
– JonW♦ May 4 '12 at 7:57


@webvitaly the issue is not about what I think (nor what any individual person thinks) but what provides the best overall experience and benefit for users as a whole.
– JonW♦ May 4 '12 at 10:33

9 Answers

If you think about it clearly and logically, the default value must be "off". This can be proven if you look at the use cases of the sign-in life cycle.

Let me explain, by comparing the browsing behavior of two different types of users. User #A will be one who likes remember me disabled, and User #B likes to have it enabled. Let's compare what happens to both users given the two possible default values "on" and "off". NOTE: I'm talking about the risks of setting a default value.

Default for Remember Me is "off"

User #A, when going to the website, is presented with the log-in screen. They enter their username/password and click the sign-in button. They are granted access, but when they close the browser their session is ended. They will be prompted again for their password next time they visit, and this is good for this user.

For User #B, going to the website is the same thing. They enter their username/password and click the sign-in button (they forget to click "remember me"). When they leave, they are signed out. This is not "liked" by the user, but there is no security problem.

Default for Remember Me is "on"

User #A goes to the website, enters their username/password and clicks the sign in button. Their session becomes permanent. The next time someone visits from that computer they will be granted access. This is not liked by this user, and is a security problem.

User #B goes to the website, enters their username/password and clicks the sign-in button. Their session becomes permanent. This is accepted by the user; they don't mind the security risk.

Result

It's clear that when remember me is on, both use cases present a security problem when the user fails to change the state of the "remember me" checkbox. It doesn't really matter that User #B doesn't mind that the risk is there.

The point here is that when the default is "off", should both users log in without changing the value, then there is no security risk.

Furthermore, now that many third-party websites are using open authentication, users who leave themselves logged into Facebook/Google/Yahoo/Twitter are also granting access to thousands of other websites that use OAuth services for registration and authentication.

If someone gains access to your Facebook account, then they can go to the Apps section and gain access to all the other websites you've used Facebook to sign into. The same for Google, Twitter, GMail, etc.

Thanks for the great answer. I could agree with you about "rem me" enabled by default on popular sites (Facebook, Google) or secure ones (PayPal, eBay). And what about smaller sites? IMHO there are no big risks or security problems in leaving "rem me" enabled by default.
– webvitaly May 4 '12 at 5:53


@webvitaly: really? Don't assume security isn't a problem because the information is trivial. I don't have anything to hide, yet I don't want just anybody to be able to read stuff that is addressed to or written by me (including the old-fashioned postman).
– Marjan Venema May 4 '12 at 6:18


@webvitaly: sounds like what you want is "late authentication", where a user's session can be restored without prompting for a password (remember me). That user can use the website as the previous user, but the moment they attempt to perform a risky action (delete, edit, create) then their ID can be authenticated by prompting for a password. Example: you can log into a message board as yourself without being prompted, but the first time you try to post something it asks for your password, or when you try to read private messages. Maybe posting doesn't require it, but private messages do.
– Mathew Foscarini May 4 '12 at 14:39


@webvitaly. I think you're guilty of what you're accusing me of. It's annoying for you to enter your username and password each time you go to a site, but do you have any evidence that this is the case with the majority of users? And if most users don't care what is set by default, it's all the more important that we are careful with what we set by default, since security now falls back to us because the users don't care. So we should give them the safest setting (in this case uncheck the remember me) instead of defaulting to a dangerous setting.
– Frank B Jul 11 '13 at 14:31

What happens if you log in from an Internet Cafe or your mate's laptop and forget to sign out properly?

The next person who uses that machine (either a random person off the street or your mate) will be able to log into your account on that site. Now, while that might not be an issue for IMDb or Code Project, it would be a big deal if it were Amazon or your bank.

Ooh, I forgot about public computers. Good catch.
– Myrddin Emrys May 3 '12 at 21:25

To ChrisF: what is the average percentage of your logins when you clicked remember me? 80, or more, or less? Ok, if the site is very secure (PayPal or Amazon) then "remember me" could be disabled by default. But in all other cases 80% of the users should click the "remember me" checkbox because a few people sometimes use friends' laptops. IMHO it is not worth it. Google solves this problem perfectly: they give users the ability to "sign out all other sessions" on the other computers where you are logged in.
– webvitaly May 3 '12 at 21:54

@webvitaly - I don't know what % of sites I stay logged in on. However, I don't tend to log in from public computers either.
– ChrisF May 3 '12 at 21:55

"I don't know what % of sites I stay logged in on" - I will try to guess: most of them. :) "I don't tend to log in from public computers either" - awesome, you can just disable the "rem me" checkbox and that's it. Logins on public or others' computers are the minority. So why should the majority click this checkbox? :)
– webvitaly May 3 '12 at 21:59


I made one experiment on one site: for a few days "rem me" was disabled and the majority of users (80%) left it disabled. Then during the next few days I enabled "rem me" by default and guess what? 80% of users left "rem me" enabled. It means that most users do not click that checkbox and users like decisions to be made for them. And, as I already said, it annoys users to enter their username and password each time just because they forgot to check the "remember me" checkbox.
– webvitaly May 3 '12 at 22:04

Privacy. Opt-in vs opt-out. While I do usually choose to have a site remember me, there are many people who get upset or creeped out by a site that automatically knows who they are when they return. In general all privacy related activities should be opt-in because of this.

In addition, the 'Remember me' box is so short and clear that users will see it and understand it even though they only skim pages and almost never read much text.

"there are many people who get upset or creeped out by a site that automatically knows who they are when they return" - very strange users :) I have published some comments on the previous answer and some of them are related to your answer. You may check them; maybe you have something to add.
– webvitaly May 3 '12 at 22:02


Try working with older users sometimes, or those new to the Internet; you will find some odd reactions at times. Then look at the prevalence of plugins that block all cookies. Two ends of the spectrum (unsavvy and very savvy) who both do not want a site to remember them.
– Myrddin Emrys May 3 '12 at 22:21

Google works with older users too, but the "rem me" checkbox in their login forms is enabled by default. And users love it, and this is pretty useful.
– webvitaly May 3 '12 at 22:27


You are incorrect sir. If you visit Google and log in for the first time, the 'Stay signed in' checkbox is disabled. If you choose to enable it, then it remembers your preference and stays checked the next time you visit. Try visiting their site from a fresh browser with no cookies and you will see this. Google uses opt-in as well.
– Myrddin Emrys May 3 '12 at 22:42

+1, Yes, you are right, "rem me" is disabled by default the first time and the user's choice about this checkbox is saved to cookies. Ok, so Google offers "rem me" disabled and saves the user's choice. Does this solve the problem with public computers? If the previous user checked the "rem me" checkbox and then logs out, the next user will see "rem me" enabled too. IMHO, the majority of users would rather have "rem me" enabled by default and they could uncheck it if they want to.
– webvitaly May 3 '12 at 23:02

On a related note, adding an additional step to "remember me", such as asking the user to name the present computer, would only represent a tiny burden and could allow users to see what machines they're logged in on, and log off of any machines they no longer control.
– supercat Sep 10 '14 at 21:11
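The late-authentication flow Mathew Foscarini describes, the per-device naming supercat suggests and the "sign out all other sessions" idea mentioned earlier, combined into one added example (not code from this thread or from any site named in it): a minimal server-side model in which `Account`, `login`, `restore_session`, `can_do_sensitive_action`, `sign_out_other_devices` and the two constants are hypothetical names, and an unchecked "remember me" box issues no persistent token at all.

```python
import hashlib
import secrets

# Added example (not the page's or any site's code); names and constants are hypothetical.
REMEMBER_TTL = 30 * 24 * 3600   # persistent token lifetime, seconds
FRESH_AUTH_WINDOW = 5 * 60      # a typed password counts as "fresh" for this long

def token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

class Account:
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.devices = {}             # sha256(token) -> {"name": device, "expires": time}
        self.last_password_auth = {}  # device name -> when the password was last typed
    def check_password(self, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return secrets.compare_digest(cand, self.pw_hash)

def login(acct, password, device, remember, now):
    """Password login; returns (ok, token). token is None unless 'remember me' was chosen.
    Calling this with remember=False is also the step-up re-prompt for a restored session."""
    if not acct.check_password(password):
        return False, None
    acct.last_password_auth[device] = now
    if not remember:                    # box unchecked: session cookie only, nothing persists
        return True, None
    token = secrets.token_urlsafe(32)   # unguessable; only its hash is kept server-side
    acct.devices[token_hash(token)] = {"name": device, "expires": now + REMEMBER_TTL}
    return True, token

def restore_session(acct, token, now):
    """Late authentication: identify the user from the token with no password prompt."""
    dev = acct.devices.get(token_hash(token))
    if dev is None or dev["expires"] < now:
        return None
    return dev["name"]

def can_do_sensitive_action(acct, device, now):
    """Risky actions (delete, private messages) need a password typed recently on this device."""
    last = acct.last_password_auth.get(device)
    return last is not None and now - last <= FRESH_AUTH_WINDOW

def list_devices(acct):
    return sorted(d["name"] for d in acct.devices.values())

def sign_out_other_devices(acct, keep):
    """Revoke every remembered device except 'keep' (the 'sign out all other sessions' idea)."""
    acct.devices = {h: d for h, d in acct.devices.items() if d["name"] == keep}
```

A remembered device that was forgotten at a cafe is revoked by `sign_out_other_devices` from any device the user still controls, and a stolen token alone never unlocks a sensitive action because the fresh-password check is per device.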

There are two cases for "Remember me" or another check box "keep me signed in" functionality:

Case I: When a user is using a personal computer / workstation or mobile device, they often opt for the remember me option or keep me signed in option to save time for repeated login or use. That's common; most of us would not like to re-enter the same credentials for the multiple websites or apps that we use daily.

Case II: When we use shared systems within the family or at any cyber cafe, we would not like to opt for the remember me feature. That's a generic thing.

What should be the default status of the Remember Me check box?

In my opinion, it depends on the type of service or app being used. For example, for social networking sites / apps like Facebook, Twitter, etc., most users would choose Remember me for frequent login. But for apps or services like a banking app, funds transfer, book keeping, commercial services, etc., most users would not prefer the remember me functionality, and most service providers do not even offer this feature.

I've never understood that checkbox. It isn't at the right place (how can you remember me if you don't know who I am?). After the user has signed in for the first time on a particular computer, show an unobtrusive popup asking if the credentials should be remembered on that specific computer.

This opt-in has more to do with ethics. You are creating a cookie on the user's computer; cookies are generally harmless but they're still technically invasive. Thus, you make the user grant permission via checking the checkbox.

Newsletter signups on the web tend to be opt-out, and I think they should be opt-in, but the potential consequences aren't as bad as with login forms.

The logic in the answers on this page is all correct, but there is something people are not considering which may change the answer depending on the type of product.

95% of the time you are accessing a website from a device you trust, so the odds are that this is what is best for the user

even when it is best for the user, many users will forget to check the box, or not understand its purpose, or not care to think about it since they are in a rush - often people don't change default settings

the next time they try to use your site (imagine them on mobile, at a party - where typing/remembering emails/passwords is challenging) you have presented them with a hurdle to using it, and they may just give up and not use it at all right then

in this case you have created a bad experience for most of your users, by choosing the wrong default setting

some websites have a sign in state that still prompts you for additional verification (usually two factor authentication) when you are doing especially sensitive actions

So the argument here is that you may want to encourage this behavior for your users so they will have a better experience with your product, if you feel it outweighs the security risk for the smaller percentage of users on public or shared computers.

I've never seen any research on this question (of users who should enable 'remember me', how many actually do it and when?) but it wouldn't surprise me if something like 50% of users don't use that setting correctly on the first 3 sign-ins.

The counter argument is that even if they mess it up the first few times, they will eventually get it, and they only need to get it right once per device (assuming you are not resetting all sessions periodically etc). However, this can still be 2-3 sign-ins per device or something before they get it all set up correctly on their laptop, mobile, etc.

Funny, I always default the remember me checkbox to off, but I do it in defense of the site owner. My logic works like this...

A user account gets accessed by another unauthorized user and real substantive damage is done to the owner of the account. This damage can take many forms, including theft of a credit balance on the site, the unauthorized sale of assets through the site, or just the release of confidential information (the user's medical records, emails, etc) into general public knowledge.

Now imagine that the scale of the damage is large enough to warrant legal action and the victim sues the site owner. Even with beautifully written terms-of-use and user-access-agreement documents integrated into the site's registration process, even if you require strong passwords and expire passwords, wouldn't you want to be able to tell a judge that the site was designed with users' security as its primary concern?

The remember-me checkbox is the single most visible expression of a site's attitude towards user security. Defaulting it to off declares quite publicly that you value a user's safety more than their convenience.